Risk Based Internal Auditing: Chartered Institute of Internal Auditors
A dynamic process
RBIA is at the cutting edge of internal audit practice. As a result, it is an area that is evolving rapidly
and where there is still little consensus about the best way to implement it.
It is more difficult to manage than traditional methodologies. Monitoring progress against an annual
plan that is constantly changing is a challenge. Setting targets and appraising staff may become
more complex.
But the advantages of RBIA are much greater.
Advantages
By following RBIA, internal audit should be able to conclude that:
1. Management has identified, assessed and responded to risks above and below the risk appetite
2. The responses to risks are effective but not excessive in managing inherent risks within the risk
appetite
3. Where residual risks are not in line with the risk appetite, action is being taken to remedy that
4. Risk management processes, including the effectiveness of responses and the completion of
actions, are being monitored by management to ensure they continue to operate effectively
5. Risks, responses and actions are being properly classified and reported.
This enables internal audit to provide the board with the assurance it needs in three areas:
1. Risk management processes, both their design and how well they are working
2. Management of those risks classified as 'key', including the effectiveness of the controls and
other responses to them
3. Complete, accurate and appropriate reporting and classification of risks
Implementation of RBIA
The implementation and ongoing operation of RBIA has three stages and we have produced detailed
guidance on each of them:
29 May 2014
5. Work with management to identify any actions they propose to take as a result
of this assessment.
Management may suggest consulting assignments for internal audit such as, for example,
facilitating management's efforts to improve their risk management processes.
Assurance strategies
For risk enabled and risk managed organisations, the conclusion on risk maturity is the first step in
being able to provide assurance on risk management processes, management of key risks and
reporting of risks. The internal audit activity's assurance strategy is therefore to provide assurance
on these areas.
For other organisations, the conclusion on risk maturity means that such assurances are not
available.
Those in risk defined organisations may be able to identify risk management policies or pockets of
risk management excellence and be able to plan to provide assurance on these elements.
Otherwise, internal audit should plan to provide assurance that control processes are working
according to the objectives or standards that have previously been set.
Consulting strategies
In less risk mature organisations, internal audit may wish to set aside time to champion the
introduction and improvement of risk management processes. The aim of this type of consulting
activity is to improve the risk maturity of the organisation.
Internal audit should approach the work in such a way that management retains a sense of
ownership of the processes that are being developed.
The IIA's International Standards define consulting activities as advisory services, the nature and
scope of which are agreed with the client and which do not involve the internal auditor assuming any
management responsibility. Our position statement on The Role of Internal Audit in Enterprise-wide
Risk Management provides further guidance on the roles that you may undertake and those that
you may not.
In risk enabled and risk managed organisations, the need to improve risk management processes is
less pressing than in less risk mature organisations and may be part of the framework itself. As a
result, less resource may be needed for consulting work.
market risk in a bank, but risk aware for another type of risk.
In this case, internal audit should not conclude that the whole organisation is risk managed. It
should report the dangers of having a patchwork of risk maturities and devise audit strategies
separately for the different parts of the organisation.
Appendices
Guidance on implementing key aspects of RBIA methodology:
A: Assessing the organisation's risk maturity
B: Guidance on assigning audit conclusions
Illustrations of how you might document parts of the risk management framework
and RBIA:
C: Risk register (part)
D: Audit universe (part)
E: Risk and audit universe (part)
F: Audit plan (April 2005 - March 2006)
G: Individual audit database for expense purchasing (part)
13 October 2014
Information requirements
Stage 1 should have provided the background needed to understand how management identifies
and evaluates risks and how and where the rest of the information needed is recorded.
The risk register, or attached documents, show responses, actions and monitoring controls:
the responses that management believe exist to manage key risks
the actions that are being taken to add, delete or modify existing responses where they do not
currently bring risk within the risk appetite
the monitoring controls used by management to ensure that all these elements of the framework
are working.
Internal audit should also obtain from the audit committee and the management team guidance
about the nature of the objective assurance they want from the internal audit activity. These are
called the assurance requirements. They may be explained in a separate document or as part of
the risk register, or they may be identified as a result of discussions with the people involved.
In RBIA the role of internal audit is not to create any of this information but to be able to interpret it
and to use it for planning purposes.
Response to risk
Processes to audit
Tolerate a risk
Transfer a risk
Treat a risk
The size of the inherent risks managed by the response: the bigger the risk, the higher the
priority.
The contribution that the response makes in managing risks: the more the response reduces the
risk, the higher the priority. For example, where a risk is managed using a single response, say a
treatment, the control score (the difference between the inherent risk and the residual risk) is the
contribution of that response. However, the control score for some risks is divided among several
responses, and each response should be credited only with its share.
The number and nature of other available assurances that the response is operating effectively.
Where several groups provide assurance on a single response, it may have a lower priority.
Those categories of risks on which the audit committee requires objective assurance each period.
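The four criteria above can be combined into a single ordering of the responses (and so of the processes) to audit. The script below is an added illustration and is not part of the IIA guidance: the 1-25 scoring scale, the equal split of a shared control score among the responses managing a risk, the weights applied to inherent risk size and to other available assurance, and all risk and response records are constructed assumptions. What it shows that the prose does not is how a control score is apportioned when one risk has several responses, and how the audit committee's required categories override the numeric ranking.

```python
"""Rank responses for audit by the RBIA criteria: size of inherent risk,
share of the control score each response contributes, other assurance
already available, and the categories the audit committee wants covered.

Illustrative example only. The weights, the equal-split rule and the sample
data are assumptions, not anything the IIA guidance prescribes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    risk_id: str
    category: str
    inherent: int                 # assumed 1-25 score (likelihood x impact)
    residual: int                 # score after the responses are applied
    responses: tuple[str, ...]    # ids of the responses managing this risk


@dataclass(frozen=True)
class Response:
    response_id: str
    process: str                  # process an audit of this response covers
    kind: str                     # 'treat', 'transfer' or 'tolerate'
    other_assurances: int         # other groups already giving assurance


def control_score(risk: Risk) -> int:
    """Inherent minus residual: how much the responses reduce the risk."""
    if risk.residual > risk.inherent:
        raise ValueError(f"{risk.risk_id}: residual exceeds inherent risk")
    return risk.inherent - risk.residual


def apportion_control_scores(risks: list[Risk]) -> dict[str, float]:
    """Share each risk's control score equally among its responses (assumed
    rule); a response managing several risks accumulates each share."""
    contribution: dict[str, float] = {}
    for risk in risks:
        share = control_score(risk) / len(risk.responses)
        for rid in risk.responses:
            contribution[rid] = contribution.get(rid, 0.0) + share
    return contribution


def priority_score(resp: Response, risks: list[Risk],
                   contribution: dict[str, float]) -> float:
    """Assumed weighting: bigger inherent risk and bigger contribution raise
    the priority; each other source of assurance lowers it."""
    managed = [r for r in risks if resp.response_id in r.responses]
    size = max((r.inherent for r in managed), default=0)
    return (contribution.get(resp.response_id, 0.0)
            + 0.5 * size
            - 2 * resp.other_assurances)


def prioritise(risks: list[Risk], responses: list[Response],
               required_categories: set[str]) -> list[tuple[str, str, float]]:
    """Return (response id, process, score), required categories first,
    then descending score."""
    contribution = apportion_control_scores(risks)
    required = {
        resp.response_id: any(r.category in required_categories
                              and resp.response_id in r.responses
                              for r in risks)
        for resp in responses
    }
    scored = [(resp.response_id, resp.process,
               priority_score(resp, risks, contribution))
              for resp in responses]
    return sorted(scored, key=lambda t: (not required[t[0]], -t[2]))


# Constructed sample data (not from any real register).
RISKS = [
    Risk("R1", "financial", 20, 5, ("CTRL-approval", "CTRL-vendor-vetting")),
    Risk("R2", "information-security", 25, 10, ("CTRL-access-review",)),
    Risk("R3", "operational", 6, 4, ("CTRL-insurance",)),
]
RESPONSES = [
    Response("CTRL-approval", "Purchase approval", "treat", other_assurances=2),
    Response("CTRL-vendor-vetting", "Procurement", "treat", other_assurances=0),
    Response("CTRL-access-review", "User access management", "treat", 0),
    Response("CTRL-insurance", "Insurance renewal", "transfer", 1),
]

if __name__ == "__main__":
    for rid, process, score in prioritise(RISKS, RESPONSES, {"financial"}):
        print(f"{score:5.1f}  {rid:22s} {process}")
```

In the sample, the supplier-fraud risk R1 has a control score of 15 split between two responses, so each is credited with 7.5; the two financial responses are listed first because the audit committee asked for that category, even though the access-review response carries the highest numeric score.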
All the audits to be included in the plan should have now been determined. However, many
organisations add audits based on criteria other than risk. Such criteria might include areas subject
to change, mandatory audits or audits requested by management.
This is a reason to 'sense check' the RBIA work so far because any topic worthy of audit should
have surfaced through the risk management framework.
For example, considerable change happening in an area could result in increases in the likelihood
of a risk event materialising and this should be visible in the risk register.
If an audit has to be included by management request, then it is displacing an audit included on the
basis of risk scores and management should justify this substitution.
deciding on appropriate remedial actions, including all and any changes to the risk register.
If this is a big change in the style of the internal audit activity, the effort required to implement it
properly should not be underestimated. Internal audit may need to play a bigger role in drafting and
delivering reports for the first months of implementing RBIA.
To complete the RBIA steps and stages the findings from individual assignments are fed back into
the overview of the organisation begun in Stage 1 because:
The findings may change the conclusions on risk maturity and may need to be reflected
throughout the audit plan the next time it is updated.
The findings need to be reflected in the reporting of risks so that management and the audit
committee understand where objective assurance has been provided.
audit work
the risk management framework
the external environment
the objectives of the organisation.
Audit work gathers evidence on the risk maturity of the organisation which is fed back into the
assessment.
The risk management framework is a dynamic construction, dependent on people to operate
effectively, and it takes continuous effort to keep it working well.
As the external environment and the objectives of the organisation change, the circumstances and
context of potential risk events also change so that the risk register needs to evolve as time
passes.
to take and what reporting it needs to provide to the next level of management.
As a result, the head of internal audit may be required to market the benefits and the need for
internal audit. A much higher profile may be necessary in non-financial areas in order to pave the
way for audits that managers can understand and support. The implications for staff expertise are
discussed overleaf.
Achieving targets
RBIA is an effective way to achieve targets set for the internal audit activity, such as:
The compilation of an audit plan which ensures the internal audit activity fulfils its charter
Gaining acceptance from management that it takes appropriate action to manage risks within the
risk appetite
Provision of objective assurance in the three areas of risk management normally required
Keeping within the budget set for the activity
Audit resources
RBIA justifies the number of auditors required. The audit plan, including the resources required, is
driven by the proportion of processes and risks on which the audit committee requires objective
assurance.
This differs from alternative approaches, where the resources available determine the audits which
can be carried out.
Staff expertise
Internal auditors engaged in RBIA require more people and business skills, such as interviewing,
influencing, facilitating and problem solving.
The expansion of the audit universe to cover all risks threatening the organisation's objectives
requires the internal auditor to conclude on the design and operation of responses to risks in areas
that may be new.
The relevance of any test can be seen in relation to the opinion on the entire risk management
framework because of the relationships set up in the risk and audit universe.
RBIA provides an audit trail from an individual audit report back through tests, processes and risks
to objectives, and forward to the audit committee report on whether those objectives are threatened.
Webinar on RBIA
Stephen Maycock talks about how RBIA might be applied within a range of internal audit processes
in our free webinar